Single-signon #64

New issue

Open

opened 2024-07-14 00:10:45 +00:00 by lukegb · 2 comments

lukegb commented 2024-07-14 00:10:45 +00:00

Member

Copy link

Are we sticking with Lix's SSO? There are good reasons to - we can leverage their moderation decisions, etc. The obvious downside is that Lix infra team members who are not Distro infra team members can still break into our stuff.

Even if we don't, do we want to stick an intermediate IdP in the middle to give us more flexibility and sovereignty over our group-assignment? This can be another Keycloak (sigh). Then if we later want to disassociate ourselves from Lix SSO it isn't a huge PITA to make sure everything is reconfigured, but it's another thing we'd have to run.

That is:

• Stick with Lix SSO (y/n)
  • If yes: Stand up an intermediate IdP? (y/n)

Are we sticking with Lix's SSO? There are good reasons to - we can leverage their moderation decisions, etc. The obvious downside is that Lix infra team members who are not Distro infra team members can still break into our stuff. Even if we don't, do we want to stick an intermediate IdP in the middle to give us more flexibility and sovereignty over our group-assignment? This can be another Keycloak (sigh). Then if we later want to disassociate ourselves from Lix SSO it isn't a huge PITA to make sure everything is reconfigured, but it's another thing we'd have to run. That is: * Stick with Lix SSO (y/n) * If yes: Stand up an intermediate IdP? (y/n)

delroth commented 2024-07-14 00:32:22 +00:00

Owner

Copy link

Are we sticking with Lix's SSO? [...] The obvious downside is that Lix infra team members who are not Distro infra team members can still break into our stuff.

I'm less worried about this than the opposite: Distro infra team members not having the right access level to change stuff on the Lix SSO. If we can get find a solution to this I don't think I care whether we use the Lix SSO or not. How likely is it for example that we'd have to do a change that involves changing Keycloak settings via the Nix config for the service, in Lix's infra repo?

I don't have strong opinions on the rest of the questions because I have 0 experience running anything IdP related and can't really judge how annoying it will be to run our own. I suspect "not too much", in practice? Especially if we can bootstrap from Lix's config.

> Are we sticking with Lix's SSO? [...] The obvious downside is that Lix infra team members who are not Distro infra team members can still break into our stuff. I'm less worried about this than the opposite: Distro infra team members not having the right access level to change stuff on the Lix SSO. If we can get find a solution to this I don't think I care whether we use the Lix SSO or not. How likely is it for example that we'd have to do a change that involves changing Keycloak settings via the Nix config for the service, in Lix's infra repo? I don't have strong opinions on the rest of the questions because I have 0 experience running anything IdP related and can't really judge how annoying it will be to run our own. I suspect "not too much", in practice? Especially if we can bootstrap from Lix's config.

lukegb commented 2024-07-14 01:06:54 +00:00

Author

Member

Copy link

Are we sticking with Lix's SSO? [...] The obvious downside is that Lix infra team members who are not Distro infra team members can still break into our stuff.

I'm less worried about this than the opposite: Distro infra team members not having the right access level to change stuff on the Lix SSO. If we can get find a solution to this I don't think I care whether we use the Lix SSO or not.

Yeah, I think that's fair - that was somewhat what I was alluding to with the "sovereignty over group-assignment", but there's potentially other stuff we'd want to do (like creating new clients, and changing what claims get released and how...)

> > Are we sticking with Lix's SSO? [...] The obvious downside is that Lix infra team members who are not Distro infra team members can still break into our stuff. > > I'm less worried about this than the opposite: Distro infra team members not having the right access level to change stuff on the Lix SSO. If we can get find a solution to this I don't think I care whether we use the Lix SSO or not. Yeah, I think that's fair - that was somewhat what I was alluding to with the "sovereignty over group-assignment", but there's potentially other stuff we'd want to do (like creating new clients, and changing what claims get released and how...)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

ofborg

vault

storage-project

block-crawlers

fix-buildbot

lukegb/rule-94

cache-lix

build02-lix

lukegb/uptime-kuma-root

hydra-metrics

builder

email-groups

cache-ipv4

format

hexchen/colmena-checker

hexy/credentials

buildbot

ckie/moarr-v4

gerrit-metrics

moar-builders

unplug-epyc

hydra-wire-up

alertmanager

fodwatch

cadvisor-containers

gerrit-http-clones

meta01

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: the-distro/infra#64

No description provided.